Static Source Code Audit On Terminal Using Bash Functions

• GIT: Code was in git, so all the files I checked out also had compiled jars, libraries, etc.
• Complex grep: A quick and dirty grep will not give you context or show you in a fast an easy way where it is.
• Messy Process: After a few hours, you tend to hate to ctrl-r finding that grep, and either redirect into files will get messy if there is no structure

So I guess everything was setup and ready for it, so after running something as easy as some greps for a bunch of functions to make sure they didn’t have anything weird going on I needed logs and a decent output from everything, so ended up creating a very simple grep:

Here is the result of a quick call for strcpy() on an android-sdk directory as an example.

Command: grep For strcpy

Output: strcpy Located

Ahhh that is so much better! At least we have now the line of the hit, the match and the filename on a more readable output, as you can see it’s a long line and if you are hitting interesting functions such as impersonation, token generation, which are custom functions. Doing ctrl-R then ctrl-A to go to the beginning of the line and change stuff is a bit annoying to say the least so I got lazy and created this in the .bashrc file.

.bashrc Shortcut Addition Modification:

So this basically checks that you put the pattern and directory as arguments, if you don’t might as well send you an usage if not, just run the same command as before, you could add more grep -v (as you will see in the auditjava() function I created later) to remove unwanted compile files, libraries, etc.

Resource Bash:

You can just call “search” as a bash function and get the output without any ctrl- magic or moving things around.

New Shortcut Commands Making Your Life Easier:

The old search commands from above would now be much easier as shown below with our new bash shortcuts.

Command:

Output:

And so forth, so the output obviously is the same, but it’s easily called and can be recalled faster and is honestly a cleaner output for logs, screenshots and your mind has a cleaner path of just remembering search than a huge blob of grep | grep -v | grep -v | awk

This small function is a good thing to have around the entire bash if you are going to check a lot of function calls.

Now its “Java Audit” time!!! This function will allow you to call it form whenever you are and you will get 3 logs inside a folder called security_logs created in the same directory from where it was called (Obviously).

The rc file defines a function called auditjava(), what will it do? it will look for “dangerous” functions, that are the usual culprits on the bugs :)

• system()
• `
• getRuntime(),Runtime, .exec
• preparedStatement(), executeQuery(), execute(), addBatch(), executeBatch()
• getParameter, getQueryString, getHeader, getRequestURL, getCookies, getInputStream, getReader, getMethod, getProtocol, getServerName, getRemoteUser, getUserPrincipal

It sill create 3 files within the security_logs directory:

• command_injection.log
• sql_functions.log
• user_input.log

Well I won’t keep you more, this is the rc file:

If saved in a file called auditjava.rc for example, it can be sourced as shown below.

Source auditjava.rc In Bash Terminal:

This allows you to be able to call and run it within the terminal whenever you need. Happy bug hunting!

See larger image Linux Command Line and Shell Scripting Bible, Second Edition (Paperback) List Price: $49.99 New From: $60.54 USD In Stock Used from: $5.98 USD In Stock

See larger image The Linux Command Line: A Complete Introduction (Paperback) List Price: $39.95 USD New From: $31.96 USD In Stock Used from: $22.50 USD In Stock